Don Calfa wrote:
> Vaughn Treude wrote:
>
>> Hello all:
>> I know there are a lot of PHP gurus on this list, so hopefully it's
>> not too off-topic.
>> I'm a newbie to PHP and I'm struggling with a login script for my
>> organization's website. I'm using an example script I got off the
>> Web somewhere. It uses MySQL through the "PEAR" database driver.
>> Here's the code snippet for the connection code in db_connect.php:
>>
>> ---------------------------
>>
>> // require the PEAR::DB classes.
>>
>> require_once 'DB.php';
>>
>> // connection parameters (real values replaced here)
>> $db_engine = 'mysql';
>> $db_user = 'XXXX';
>> $db_pass = 'YYYYYYYY';
>> $db_host = 'ieeepacn.com';
>> $db_name = 'ZZZZZZZ';
>>
>> // build the PEAR DSN: engine://user:pass@host/dbname
>> $datasource = $db_engine.'://'.
>>               $db_user.':'.
>>               $db_pass.'@'.
>>               $db_host.'/'.
>>               $db_name;
>>
>> // second argument TRUE asks PEAR::DB for a persistent connection
>> $db_object = DB::connect($datasource, TRUE);
>>
>> ------------------------
>>
>> This works, but it occurs to me: how can this thing possibly be
>> secure? The password's there in clear text. A person would only
>> need read access to get it. And if the PHP file's not globally
>> readable, the login fails. Is there some factor here I'm missing
>> such that it's more protected than I think? Or is there a better way
>> to approach this?
>>
>> Thanks!
>> Vaughn
>>
>
> 1. If the webserver parses PHP not as text, no one will be able to
> read the contents of the file from the browser.
> 2. You can create a user for MySQL that only has rights to the DB and
> not login to the server.
> 3. You can split the variables from the connection string into 2 files.
> 4. You can encrypt the variables (like $db_pass = "cGFzc3dvcmQ="; in
> 1 file and in another file $db_engine =
> {...base64_decode($db_pass)...;}). (There are tons of ways to do this.)
> 5. You can obfuscate the entire script (from:
> http://richard.fairthorne.is-a-geek.com/utils_obfuscate.php):
>
> [obfuscated script output omitted]
>
> I use #2 and #3 and make sure only that permission is available from
> localhost for production. I sometimes use #5 in situations that I
> need to protect myself (the tinkerer that messes with the code then
> suddenly calls 'Hey, this doesn't work!').
>
> If anyone wants access to the DB, they'll get it. You just have to
> make it not easy.
>
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss

That is a great tip, thanks!
JD

--
JD Austin
Twin Geckos Technology Services LLC
email: jd@twingeckos.com
http://www.twingeckos.com
phone/fax: 480.344.2640
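Approaches #2 and #3 from Don's reply (a least-privilege MySQL account reachable only from localhost, and credentials kept in a separate file outside the web tree), written out as an added example; this is not code from the thread, and the path /etc/myapp/db.ini, the ini key names and the account/database names are assumptions.

```php
<?php
// Added example (not from the thread): load DB credentials from a file
// *outside* the document root, so a mis-served .php file or a directory
// listing never exposes them (approach #3).
require_once 'DB.php';   // PEAR::DB, as in the original db_connect.php

// Assumed location; readable by the web server user only,
// e.g. owned by root:www-data with mode 0640.
$cred_file = '/etc/myapp/db.ini';

if (!is_readable($cred_file)) {
    // Fail closed: never fall back to hard-coded defaults.
    die('Database credentials are not available.');
}
// Refuse to start if any other local user could read the secret.
if (fileperms($cred_file) & 0004) {
    die("$cred_file is world-readable; fix its permissions.");
}

// Expected file contents (constructed example):
//   engine = mysql
//   user   = webapp
//   pass   = example-secret
//   host   = localhost
//   name   = site_db
$c = parse_ini_file($cred_file, false, INI_SCANNER_RAW);
foreach (array('engine', 'user', 'pass', 'host', 'name') as $k) {
    if (empty($c[$k])) {
        die("Missing '$k' in $cred_file");
    }
}

// rawurlencode() keeps a password containing '@', ':' or '/' from
// breaking the DSN; the DSN parser decodes the escapes again.
$datasource = $c['engine'] . '://' . rawurlencode($c['user']) . ':'
            . rawurlencode($c['pass']) . '@' . $c['host'] . '/' . $c['name'];

$db_object = DB::connect($datasource, TRUE);
if (PEAR::isError($db_object)) {
    // Log the detail server-side; never echo the DSN to the browser.
    error_log('DB connect failed: ' . $db_object->getMessage());
    die('Database unavailable.');
}

// Approach #2, run once as the MySQL admin (assumed names): an account
// that can only reach this one database, and only from localhost.
//   CREATE USER 'webapp'@'localhost' IDENTIFIED BY 'example-secret';
//   GRANT SELECT, INSERT, UPDATE, DELETE ON site_db.* TO 'webapp'@'localhost';
```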